Data Protection in a post-Brexit world – what you need to know
This briefing is part one of a two part series. The second part explaining the impact of the Schrems II decision can be found here.
When the Brexit transition period ended on 31 December 2020 the UK became a “third country” for data protection purposes. This has certain ramifications, in theory at least and at this stage, on the transfer of data between the EU and UK.
The end of the transition period – what happens now?
Data transfers from the EU to the UK will only continue freely and uninterrupted, as they did prior to Brexit, if the European Commission (EC) grants what is known as an adequacy decision over UK data protection laws.
An adequacy decision is a decision by the EC that a third country has acceptable data protection laws and safeguards for the purposes of data transferred to that country from the EU; that is, laws which offer an equivalence of protection to that of the EU. If the UK is not granted an adequacy decision, the transfer of data from the EU to the UK can only continue in limited circumstances; under the Standard Contractual Clauses, Binding Corporate rules or under a derogation of Article 49 of the EU General Data Protection regulation.
The UK has effectively adopted its own version of the GDPR, UK GDPR, which came into force on 1 January 2021, and has already granted an adequacy decision over EU data protection laws. Therefore, transfers of personal data from the UK to the EU were not impacted by the end of the transition period and these transfers can continue as they did before the UK left the EU.
The UK has also agreed that EC adequacy decisions on third countries that were made prior to 31 December 2021 will be recognised as adequate under UK GDPR, allowing for unrestricted data transfers to continue freely from the UK to those third countries as it did prior to Brexit.
Data Transfers from the EU to UK: The Current Situation under the Trade Cooperation Agreement
While the UK has not yet been granted an adequacy decision by the EC, the implementation of the EU-UK Trade Cooperation Agreement (TCA) provides for an interim period in which data transfers shall continue as if the UK were a member of the EU while the EC makes a decision on the adequacy of UK data protection laws.
The agreement stipulates that the UK will not be treated as a third country for data transfer purposes until 1 May 2021. A further extension is possible to 1 July 2021 if a decision on adequacy has not yet been reached (provided there are no objections to this extension from the UK or any EU member state).
Under the terms of the TCA, the UK cannot amend its data protection legislation during this interim period without approval from the TCA Partnership Council. The Council is a bilateral body established to deal with any disputes arising under the TCA. If an amendment is made without such approval the interim period will immediately terminate and the UK will be treated as a third country without an adequacy decision.
While it is hoped that the UK obtains an adequacy decision, there is no guarantee that one will be granted, let alone granted before the end of the interim period. Businesses that partake in the transfer of data to and from the EU should therefore be prepared for the scenario where the UK is treated as a third country without an adequacy decision.
Data Transfers from the EU to the UK where no decision on adequacy is granted
As mentioned earlier, should the UK data protection laws not receive an adequacy decision, data transfers from the EU to the UK can only take place if they rely on certain safeguards set out in the GDPR; namely:
- Standard Contractual Clauses (SCCs)
- Binding Corporate rules
- Derogations permitted under Article 49 GDPR.
Whilst consideration should be given to each of the above methods, the SCCs are the method most commonly used by businesses for enabling the transfer of personal data from the EU to third countries.
The SCCs are model data protection clauses that place contractual obligations on the data exporter and data importer and which have the aim of ensuring that appropriate safeguards are in place for the transfer of personal data to a third country.
Businesses that currently export data to the UK from the EU will need to consider adding the SCCs to their contractual agreements should the UK not receive an adequacy decision by the end of the interim period.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.